One former NSA employee calls it “a perfect case example of why cryptographic backdoors are so dangerous in the real world.”

The Department of Homeland Security and federal agencies are in incident-response mode as they work to remove listening posts in software planted by suspected cyberspies.

The unauthorized code can allow attackers to invisibly decrypt communications passing through widely used Juniper Networks firewalls, according to the company. The existence of the three-year-old bug was disclosed on Dec. 17. The government has spent about $13 million on Juniper products since 2012, according to the federal funding tracker USASpending.gov.

Currently, the government is scouring its IT inventory to identify affected Juniper systems — plus any information that ever touched a Juniper firewall.

It is believed a foreign party rigged the software. Reports this week suggested the assailants might have taken advantage of a weakness that the National Security Agency allegedly placed in a widely used random-number generator, Dual_EC_DRBG, on which the firewalls’ VPN encryption depends.


Dave Aitel, who worked at the code-breaking agency and now serves as chief technology officer at cybersecurity firm Immunity, said the discovery of an unauthorized backdoor in Juniper’s encryption program demonstrates precisely why even legal backdoors can backfire. The hack reinvigorated an already tense debate about encrypted communications, which consumers increasingly are using for privacy and terrorists increasingly are using to evade law enforcement’s eyes and ears. The FBI wants tech providers to be able to break coded messages, when served with a warrant.

“We have every presidential candidate talking about crypto backdoors and no one can really point to why they are so dangerous,” Aitel said. But the Juniper software tampering is “a perfect case example of why cryptographic backdoors are so dangerous in the real world.”

As it happens, DHS Secretary Jeh Johnson, whose agency is responsible for helping agencies fix the Juniper vulnerabilities, recently raised alarms about a world without so-called backdoors for law enforcement.

Taking Stock

DHS currently is assessing the risk the Juniper compromise poses to government systems, according to the department.

“It’s not just about the machine,” Aitel said. “It’s about all the data that ever went through the networks that that machine was connected to. It’s really painful. They have to look at their supply chain,” including the many corporate contractors handling agency data. “What if one of their major suppliers uses Juniper and now they can’t trust that supplier either?”

Many federal agencies do not have a firm grasp on how many systems they have, in general, which could complicate the scavenger hunt.

The Internal Revenue Service could not update 1,300 of its computers from Microsoft Windows XP to Windows 7 because the agency couldn’t find them all, according to a report released by the Treasury Inspector General for Tax Administration. As of the third quarter of fiscal 2015, 17 of the 24 major federal agencies could not automatically identify the number of software programs running on their networks, according to Performance.gov, a federal goal-tracking site. And 16 departments could not detect how many devices were connected to their networks.

Homeland Security, which oversees civilian cybersecurity, has a few tools at its disposal to spur agency action.

DHS spokesman S.Y. Lee said in an emailed statement that the department is aware of reports regarding Juniper’s software and is still evaluating the potential ramifications.

“As we routinely do when such vulnerabilities are brought to light, we are assessing the potential impact, if any, on federal networks, and will take any appropriate mitigation measures in close coordination with interagency partners,” he said. The department is advising agencies to review the critical steps recommended by Juniper and “to update their software.”

A DHS official told Nextgov that Homeland Security has been and remains in close touch with the company. The department’s U.S. Computer Emergency Readiness Team “has provided information to all federal agencies to patch this potential vulnerability and stands ready to offer further assistance if requested,” the official said.

The 2014 Federal Information Security Modernization Act empowers DHS to issue “binding operational directives,” but it is unclear whether Homeland Security has done so in this situation.

It’s also unknown whether DHS is scanning all other agencies’ networks for vulnerabilities through an intrusion-prevention tool called EINSTEIN, an action permitted under an executive branch memo issued last year. A federal spending bill that Congress cleared last week, and now awaits President Obama’s signature, would cement into law DHS’s ability to scan every civilian agency network.

A Whodunit

The Juniper emergency brings to mind a 2014 governmentwide race to root out “Heartbleed,” a bug discovered in April of that year in the widely used OpenSSL encryption library that allowed hackers to read memory from, and weasel into, servers running it. A similar hunt followed the Office of Personnel Management breach, in which suspected Chinese spyware pinched private records on 21.5 million former personnel, individuals applying for clearances to handle classified information, and their families. Homeland Security deployed EINSTEIN during both incidents.

An analysis ”suggests that the Juniper culprits repurposed an encryption backdoor previously believed to have been engineered by the NSA, and tweaked it to use for their own spying purposes,” according to Wired.

Aitel, the former spy agency employee, said the Juniper campaign cast too wide a net to be the brainchild of NSA.

The federal government “could not legally covertly trojan the source code of a US company,” he said in a Dec. 18 blog post, shortly after the revelations. Past NSA hacking operations, such as one that allegedly bugged select Cisco equipment shipments en route to adversaries, demonstrate that America’s “policy in this area” is “specificity when it comes to targets.”

Early news reports indicated the FBI is investigating the Juniper matter. On Tuesday, FBI officials referred Nextgov to DHS and said they had no comment on whether any investigation is underway.

Juniper officials on Dec. 17 acknowledged the security vulnerabilities in ScreenOS, the operating system that runs its NetScreen firewall and VPN appliances, in versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, and the company simultaneously released patched releases.

“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper Chief Information Officer Bob Worrall said in a post on the company’s website. At the time of the post, the company said it had not received any reports of the vulnerabilities being exploited.

When Nextgov asked how the company is assisting federal victims, a Juniper spokeswoman said, “We have reached out to affected customers, strongly recommending that they update their systems and apply the patched releases with the highest priority.”
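The inventory hunt described above comes down to one mechanical step once the device list exists: parse each firewall’s reported ScreenOS version and test it against the two inclusive ranges Juniper published. The script below is an added illustration, not code from Juniper, DHS or US-CERT. The inventory records are constructed, the version-string format it accepts (for example “6.3.0r19” or “6.3.0r19.0”, as the `get system` command on these devices reports it) is an assumption, and it deliberately flags any device whose version it cannot parse as “unknown” rather than treating it as safe, since an unparsable or missing entry is precisely the inventory gap the article describes.

```python
"""Triage a firewall inventory against the affected ScreenOS version ranges
reported on Dec. 17 (6.2.0r15-6.2.0r18 and 6.3.0r12-6.3.0r20).

Added example; not Juniper's, DHS's or US-CERT's own tooling. The sample
inventory below is constructed. The accepted version-string format is an
assumption: "MAJOR.MINOR.PATCHrRELEASE" with an optional trailing ".N".
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class ScreenOSVersion(NamedTuple):
    """Ordered components of a ScreenOS version such as 6.3.0r19."""
    major: int
    minor: int
    patch: int
    release: int  # the "rN" build number


# Assumed format: e.g. "6.3.0r19" or "6.3.0r19.0" (trailing ".0" as shown
# by `get system`). Anything else (Junos "12.1X46-D40", blanks) is unparsable.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_version(text: str) -> Optional[ScreenOSVersion]:
    """Return the parsed version, or None if the string is not ScreenOS-shaped."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    return ScreenOSVersion(*(int(g) for g in match.groups()))


# Inclusive ranges as reported in Juniper's Dec. 17 disclosure.
AFFECTED_RANGES: List[Tuple[ScreenOSVersion, ScreenOSVersion]] = [
    (parse_version("6.2.0r15"), parse_version("6.2.0r18")),
    (parse_version("6.3.0r12"), parse_version("6.3.0r20")),
]


def is_affected(version: str) -> bool:
    """True when the version parses and falls inside an affected range.

    Tuple comparison is lexicographic, so 6.2.0r20 is not swept into the
    6.3.0 range and 6.3.0r11 stays below it.
    """
    parsed = parse_version(version)
    if parsed is None:
        return False
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each (device, version) record as affected, not affected or unknown.

    "unknown" is reported separately on purpose: a record that cannot be
    parsed must go back to the asset owners, not be silently counted as clean.
    """
    results = []
    for device, version in inventory:
        if parse_version(version) is None:
            status = "unknown"
        elif is_affected(version):
            status = "affected"
        else:
            status = "not affected"
        results.append((device, version, status))
    return results


# Constructed sample inventory; device names and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("fw-dmz-01", "6.3.0r19.0"),     # inside 6.3.0r12-6.3.0r20
    ("fw-vpn-02", "6.2.0r16"),       # inside 6.2.0r15-6.2.0r18
    ("fw-branch-03", "6.3.0r11"),    # below the 6.3.0 range
    ("fw-branch-04", "6.3.0r21"),    # above the 6.3.0 range
    ("srx-core-01", "12.1X46-D40"),  # Junos, not ScreenOS: flagged unknown
]


if __name__ == "__main__":
    for device, version, status in triage(SAMPLE_INVENTORY):
        print(f"{device:14} {version:14} {status}")
```

A device that comes back “affected” is only the first finding: per Aitel’s point above, the VPN traffic that transited it while the unauthorized code was present has to be treated as potentially decrypted, so the next step is to pull that device’s tunnel and session records for the affected window rather than stopping at the patch.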

Aliya Sternstein reports on cybersecurity and homeland security systems. She’s covered technology for more than a decade at such publications as National Journal's Technology Daily, Federal Computer Week and Forbes. Before joining Government Executive, Sternstein covered agriculture and derivatives ...
